Cleartext Credential Exposure in Dropbox Desktop Application
CVE-2019-12171
7.8 HIGH
Summary
The Dropbox desktop application version 71.4.108.0 stores cleartext credentials in memory after a user logs in or creates an account. The credentials are present in the memory of Dropbox.exe and of the Web Helper component, QtWebEngineProcess.exe, and remain exposed throughout the application's lifecycle. Because this sensitive information is inadequately handled, it can lead to unauthorized access. The flaw highlights the importance of secure memory management to prevent data leaks.
CVSS V3.1
Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved